diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/ConfigHelper.java b/core/src/com/cloud/agent/resource/virtualnetwork/ConfigHelper.java
index 8154d681bb5..d8b33550b7f 100644
--- a/core/src/com/cloud/agent/resource/virtualnetwork/ConfigHelper.java
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/ConfigHelper.java
@@ -20,6 +20,7 @@ package com.cloud.agent.resource.virtualnetwork;
 import java.io.UnsupportedEncodingException;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
@@ -60,10 +61,16 @@ import com.cloud.agent.api.to.IpAddressTO;
 import com.cloud.agent.api.to.NicTO;
 import com.cloud.agent.api.to.PortForwardingRuleTO;
 import com.cloud.agent.api.to.StaticNatRuleTO;
+import com.cloud.agent.resource.virtualnetwork.model.AclRule;
+import com.cloud.agent.resource.virtualnetwork.model.AllAclRule;
 import com.cloud.agent.resource.virtualnetwork.model.GuestNetwork;
+import com.cloud.agent.resource.virtualnetwork.model.IcmpAclRule;
 import com.cloud.agent.resource.virtualnetwork.model.IpAddress;
 import com.cloud.agent.resource.virtualnetwork.model.IpAssociation;
 import com.cloud.agent.resource.virtualnetwork.model.NetworkACL;
+import com.cloud.agent.resource.virtualnetwork.model.ProtocolAclRule;
+import com.cloud.agent.resource.virtualnetwork.model.TcpAclRule;
+import com.cloud.agent.resource.virtualnetwork.model.UdpAclRule;
 import com.cloud.network.HAProxyConfigurator;
 import com.cloud.network.LoadBalancerConfigurator;
 import com.cloud.network.rules.FirewallRule;
@@ -558,20 +565,45 @@ public class ConfigHelper {
 String netmask = Long.toString(NetUtils.getCidrSize(nic.getNetmask()));
 StringBuilder sb = new StringBuilder();
+ List ingressRules = new ArrayList();
+ List egressRules = new ArrayList();
+
 for (int i = 0; i < aclRules.length; i++) {
- sb.append(aclRules[i]).append(',');
+ AclRule aclRule;
+ String[] ruleParts = aclRules[i].split(":");
+ switch (ruleParts[1].toLowerCase()) {
+ case "icmp":
+ aclRule = new IcmpAclRule(ruleParts[4], "ACCEPT".equals(ruleParts[5]), Integer.parseInt(ruleParts[2]), Integer.parseInt(ruleParts[3]));
+ break;
+ case "tcp":
+ aclRule = new TcpAclRule(ruleParts[4], "ACCEPT".equals(ruleParts[5]), Integer.parseInt(ruleParts[2]), Integer.parseInt(ruleParts[3]));
+ break;
+ case "udp":
+ aclRule = new UdpAclRule(ruleParts[4], "ACCEPT".equals(ruleParts[5]), Integer.parseInt(ruleParts[2]), Integer.parseInt(ruleParts[3]));
+ break;
+ case "all":
+ aclRule = new AllAclRule(ruleParts[4], "ACCEPT".equals(ruleParts[5]));
+ break;
+ default:
+ aclRule = new ProtocolAclRule(ruleParts[4], "ACCEPT".equals(ruleParts[5]), Integer.parseInt(ruleParts[1]));
+ }
+ if ("Ingress".equals(ruleParts[0])) {
+ ingressRules.add(aclRule);
+ } else {
+ egressRules.add(aclRule);
+ }
 }
- String rule = sb.toString();
+ sb.toString();
- NetworkACL networkACL = new NetworkACL(dev, nic.getMac(), privateGw != null, nic.getIp(), netmask, rule);
+ NetworkACL networkACL = new NetworkACL(dev, nic.getMac(), privateGw != null, nic.getIp(), netmask, ingressRules.toArray(new AclRule[ingressRules.size()]),
+ egressRules.toArray(new AclRule[egressRules.size()]));
 ConfigItem networkAclFile = new FileConfigItem(VRScripts.CONFIG_PERSIST_LOCATION, VRScripts.NETWORK_ACL_CONFIG, gson.toJson(networkACL));
 cfg.add(networkAclFile);
 ConfigItem updateNetworkACL = new ScriptConfigItem(VRScripts.UPDATE_CONFIG, VRScripts.NETWORK_ACL_CONFIG);
 cfg.add(updateNetworkACL);
-
 return cfg;
 }
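Review bot: The new loop indexes `ruleParts[0..5]` and calls `Integer.parseInt` on several tokens without first checking `ruleParts.length` or the token format, so a truncated or malformed rule string now surfaces as an unchecked `ArrayIndexOutOfBoundsException`/`NumberFormatException` from deep inside config generation, and the `default:` branch additionally assumes any protocol name that is not icmp/tcp/udp/all is a numeric protocol number. A guard before the switch, `if (ruleParts.length < 6) { throw new IllegalArgumentException("Malformed ACL rule: " + aclRules[i]); }`, turns that into an error that names the offending rule while keeping the failure fail-closed (nothing is written to the router until the whole array parses). The `"ACCEPT".equals(ruleParts[5])` test treats every other action token as deny, which is a sensible default but deserves a one-line comment so nobody "fixes" it later. `List ingressRules`/`List egressRules` are raw types and should be `List<AclRule>`, and `sb.toString();` together with the now-unused `StringBuilder sb` is dead code. The enclosing method starts before this hunk.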
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/model/AclRule.java b/core/src/com/cloud/agent/resource/virtualnetwork/model/AclRule.java
new file mode 100644
index 00000000000..520fc661a0a
--- /dev/null
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/model/AclRule.java
@@ -0,0 +1,60 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.agent.resource.virtualnetwork.model;
+
+public abstract class AclRule {
+ private String cidr;
+ private boolean allowed;
+
+ public String getCidr() {
+ return cidr;
+ }
+
+ public void setCidr(String cidr) {
+ this.cidr = cidr;
+ }
+
+ public boolean isAllowed() {
+ return allowed;
+ }
+
+ public void setAllowed(boolean allowed) {
+ this.allowed = allowed;
+ }
+
+ protected AclRule() {
+ // Empty constructor for (de)serialization
+ }
+
+ protected AclRule(String cidr, boolean allowed) {
+ this.cidr = cidr;
+ this.allowed = allowed;
+ }
+
+}
+
+/*
+{"device":"eth2","mac_address":"02:00:56:36:00:02","private_gateway_acl":false,"nic_ip":"172.16.1.1","nic_netmask":"24",
+ "rule":"Ingress:41:0:0:192.168.5.0/24:DROP:," +
+ "Ingress:all:0:0:192.168.4.0/24:ACCEPT:," +
+ "Ingress:icmp:8:-1:192.168.3.0/24:ACCEPT:," +
+ "Ingress:udp:8080:8081:192.168.2.0/24:ACCEPT:," +
+ "Ingress:tcp:22:22:192.168.1.0/24:ACCEPT:,","type":"networkacl"}
+ */
\ No newline at end of file
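Review bot: The block comment at the end of the new file documents the old JSON shape with a single `"rule":"Ingress:41:0:0:…"` string, which is exactly the format this commit removes from NetworkACL in favour of `ingressRules`/`egressRules` arrays, so it is stale the moment it lands. Either rewrite it to show the new serialized form (one object per rule carrying `cidr`, `allowed` and the subclass-specific fields) or drop it. A one-line class comment such as `// Base of a serialized network ACL entry: target CIDR plus allow/deny; subclasses add the protocol-specific match fields.` would document the contract the class actually has. The file also lacks a trailing newline.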
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/model/AllAclRule.java b/core/src/com/cloud/agent/resource/virtualnetwork/model/AllAclRule.java
new file mode 100644
index 00000000000..0f43450c23e
--- /dev/null
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/model/AllAclRule.java
@@ -0,0 +1,33 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.agent.resource.virtualnetwork.model;
+
+public class AllAclRule extends AclRule {
+ private final String type = "all";
+
+ public AllAclRule() {
+ // Empty constructor for (de)serialization
+ }
+
+ public AllAclRule(String cidr, boolean allowed) {
+ super(cidr, allowed);
+ }
+
+}
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/model/IcmpAclRule.java b/core/src/com/cloud/agent/resource/virtualnetwork/model/IcmpAclRule.java
new file mode 100644
index 00000000000..c8cdd1a54bf
--- /dev/null
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/model/IcmpAclRule.java
@@ -0,0 +1,53 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.agent.resource.virtualnetwork.model;
+
+public class IcmpAclRule extends AclRule {
+ private final String ruleType = "icmp";
+ private int icmpType;
+ private int icmpCode;
+
+ public IcmpAclRule() {
+ // Empty constructor for (de)serialization
+ }
+
+ public IcmpAclRule(String cidr, boolean allowed, int icmpType, int icmpCode) {
+ super(cidr, allowed);
+ this.icmpType = icmpType;
+ this.icmpCode = icmpCode;
+ }
+
+ public int getIcmpType() {
+ return icmpType;
+ }
+
+ public void setIcmpType(int icmpType) {
+ this.icmpType = icmpType;
+ }
+
+ public int getIcmpCode() {
+ return icmpCode;
+ }
+
+ public void setIcmpCode(int icmpCode) {
+ this.icmpCode = icmpCode;
+ }
+
+}
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/model/NetworkACL.java b/core/src/com/cloud/agent/resource/virtualnetwork/model/NetworkACL.java
index bf79b10a54c..9039e5241cc 100644
--- a/core/src/com/cloud/agent/resource/virtualnetwork/model/NetworkACL.java
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/model/NetworkACL.java
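Review bot: `IcmpAclRule` names its discriminator field `ruleType` while every sibling added in this commit (`AllAclRule`, `ProtocolAclRule`, `TcpAclRule`, `UdpAclRule`) names it `type`, so the Gson output for ICMP entries carries a different key than all other rules; if the consumer on the router selects its match on `type` (not visible here), ICMP rules would go unrecognised. Rename it: `private final String type = "icmp";`. The sample rule in AclRule.java (`icmp:8:-1`) suggests `-1` is passed through as a wildcard for type/code, so a field comment like `// -1 presumably means "any"; confirm against the router-side script` would stop callers from treating it as a real ICMP value.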
@@ -25,20 +25,22 @@ public class NetworkACL extends ConfigBase {
 private boolean privateGatewayAcl;
 private String nicIp;
 private String nicNetmask;
- private String rule;
+ private AclRule[] ingressRules;
+ private AclRule[] egressRules;
 public NetworkACL() {
 setType("networkacl");
 }
- public NetworkACL(String device, String macAddress, boolean privateGatewayAcl, String nicIp, String nicNetmask, String rule) {
+ public NetworkACL(String device, String macAddress, boolean privateGatewayAcl, String nicIp, String nicNetmask, AclRule[] ingressRules, AclRule[] egressRules) {
 setType("networkacl");
 this.device = device;
 this.macAddress = macAddress;
 this.privateGatewayAcl = privateGatewayAcl;
 this.nicIp = nicIp;
 this.nicNetmask = nicNetmask;
- this.rule = rule; //FIXME Split this in o
+ this.ingressRules = ingressRules;
+ this.egressRules = egressRules;
 }
 public String getDevice() {
@@ -81,12 +83,20 @@ public class NetworkACL extends ConfigBase {
 this.nicNetmask = nicNetmask;
 }
- public String getRule() {
- return rule;
+ public AclRule[] getIngressRules() {
+ return ingressRules;
 }
- public void setRule(String rule) {
- this.rule = rule;
+ public void setIngressRules(AclRule[] ingressRules) {
+ this.ingressRules = ingressRules;
+ }
+
+ public AclRule[] getEgressRules() {
+ return egressRules;
+ }
+
+ public void setEgressRules(AclRule[] egressRules) {
+ this.egressRules = egressRules;
 }
 }
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/model/ProtocolAclRule.java b/core/src/com/cloud/agent/resource/virtualnetwork/model/ProtocolAclRule.java
new file mode 100644
index 00000000000..02edc81ba4a
--- /dev/null
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/model/ProtocolAclRule.java
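Review bot: The new `ingressRules`/`egressRules` fields have the abstract element type `AclRule[]`; `gson.toJson` in ConfigHelper serializes that fine, but the no-arg constructors in this commit are commented as being for "(de)serialization", and Gson cannot pick a concrete subclass for an abstract element type on `fromJson` without a registered type adapter (the subclasses' `type` field would be the natural discriminator). Worth confirming whether anything on the Java side ever reads this JSON back; if not, a comment on the fields, `// serialized to the router only; never deserialized on this side`, would record that. The hunk's context lines belong to a class whose header is outside this hunk.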
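Review bot: `getIngressRules()` and `getEgressRules()` return the internal arrays, so any caller can mutate the rule set after construction without going through a setter. Since Gson reads the fields directly, returning a copy costs nothing for serialization: `return ingressRules == null ? null : ingressRules.clone();` (and the same for egress). A short Javadoc on each getter stating whether the returned array is shared or a copy would settle the contract either way.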
@@ -0,0 +1,43 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.agent.resource.virtualnetwork.model;
+
+public class ProtocolAclRule extends AclRule {
+ private final String type = "protocol";
+ private int protocol;
+
+ public ProtocolAclRule() {
+ // Empty constructor for (de)serialization
+ }
+
+ public ProtocolAclRule(String cidr, boolean allowed, int protocol) {
+ super(cidr, allowed);
+ this.protocol = protocol;
+ }
+
+ public int getProtocol() {
+ return protocol;
+ }
+
+ public void setProtocol(int protocol) {
+ this.protocol = protocol;
+ }
+
+}
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/model/TcpAclRule.java b/core/src/com/cloud/agent/resource/virtualnetwork/model/TcpAclRule.java
new file mode 100644
index 00000000000..afcef965099
--- /dev/null
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/model/TcpAclRule.java
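Review bot: `protocol` is populated from `Integer.parseInt(ruleParts[1])` in ConfigHelper's `default:` branch, i.e. it appears to be a raw IP protocol number (the sample rule uses `41`), but nothing here documents that or bounds it, so a value outside 0–255 is serialized to the router as-is. A field comment, `// IP protocol number (0-255); used when the rule is not icmp/tcp/udp/all`, plus a range check in the three-argument constructor (`if (protocol < 0 || protocol > 255) throw new IllegalArgumentException("Invalid IP protocol number: " + protocol);`) would make the contract explicit and reject bad input before it reaches the firewall script.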
@@ -0,0 +1,53 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.agent.resource.virtualnetwork.model;
+
+public class TcpAclRule extends AclRule {
+ private final String type = "tcp";
+ private int firstPort;
+ private int lastPort;
+
+ public TcpAclRule() {
+ // Empty contructor for (de)serialization
+ }
+
+ public TcpAclRule(String cidr, boolean allowed, int firstPort, int lastPort) {
+ super(cidr, allowed);
+ this.firstPort = firstPort;
+ this.lastPort = lastPort;
+ }
+
+ public int getFirstPort() {
+ return firstPort;
+ }
+
+ public void setFirstPort(int firstPort) {
+ this.firstPort = firstPort;
+ }
+
+ public int getLastPort() {
+ return lastPort;
+ }
+
+ public void setLastPort(int lastPort) {
+ this.lastPort = lastPort;
+ }
+
+}
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/model/UdpAclRule.java b/core/src/com/cloud/agent/resource/virtualnetwork/model/UdpAclRule.java
new file mode 100644
index 00000000000..03945512e01
--- /dev/null
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/model/UdpAclRule.java
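Review bot: `firstPort`/`lastPort` are stored with no check that `0 <= firstPort <= lastPort <= 65535`, and the ConfigHelper hunk passes the parsed tokens straight in, so an inverted or out-of-range port range reaches the router-side script unvalidated. A guard in the four-argument constructor, `if (firstPort < 0 || lastPort > 65535 || firstPort > lastPort) throw new IllegalArgumentException("Invalid port range " + firstPort + "-" + lastPort);`, rejects it at the source (the setters look intended for deserialization only, which is worth saying in a comment). The no-arg constructor comment misspells `contructor`.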
@@ -0,0 +1,53 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.agent.resource.virtualnetwork.model;
+
+public class UdpAclRule extends AclRule {
+ private final String type = "ucp";
+ private int firstPort;
+ private int lastPort;
+
+ public UdpAclRule() {
+ // Empty contructor for (de)serialization
+ }
+
+ public UdpAclRule(String cidr, boolean allowed, int firstPort, int lastPort) {
+ super(cidr, allowed);
+ this.firstPort = firstPort;
+ this.lastPort = lastPort;
+ }
+
+ public int getFirstPort() {
+ return firstPort;
+ }
+
+ public void setFirstPort(int firstPort) {
+ this.firstPort = firstPort;
+ }
+
+ public int getLastPort() {
+ return lastPort;
+ }
+
+ public void setLastPort(int lastPort) {
+ this.lastPort = lastPort;
+ }
+
+}
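Review bot: The discriminator is set to `"ucp"` instead of `"udp"` (`private final String type = "ucp";`), so serialized UDP rules carry a type value nothing else in this commit uses; if the router-side consumer picks its iptables match on that value (not visible here), UDP rules — DROP rules included — could be skipped or misapplied, which is a silent hole in the ACL rather than a loud failure. Fix: `private final String type = "udp";`. The same port-range caveat as TcpAclRule applies: nothing checks `0 <= firstPort <= lastPort <= 65535`, and the no-arg constructor comment misspells `contructor`.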